Security Basics mailing list archives

RE: How hackers cause damage...
From: "Craig Wright" <cwright () bdosyd com au>
Date: Fri, 3 Mar 2006 11:34:12 +1100


Ansgar,
"Fire them and get someone who does. Again, contrary to your belief
there are enough people who know (or can be trained to know) what to do.
I don't believe things are so much worse in Australia than they are here
in Germany."

***Prove it***.

Show me the data. The evidence to support your claim. Explain how the
over 2 billion hosts in the world can be secured with the number of
people in the industry.

Show some figures to demonstrate that there are enough people to cover
off all companies let alone all organisations.

Show me how the economic figures for ANY country could support this
increase. The US is having enough issues with SOX compliance and this
does NOT mean security. 

I would love to be in a world where everything was secured, but I miss
how this would be achievable at the moment. I see that a risk based
approach is possible, but HOW do we achieve security everywhere?

Please Ansgar, I challenge you to supply any of these arguments with
real data.

Craig

-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
Sent: 3 March 2006 11:08
To: Craig Wright
Subject: Re: How hackers cause damage...

On 2006-03-03 Craig Wright wrote:
That's pretty obvious, because if life was more important, measures
would have been taken *before* an incident could have happened

Assuming all people know and understand IT let alone IT security. This
is not the case. Even where there are clear lines of criminal
responsibility for negligence - systems are not always secured.

I didn't say they were. I said they should be.

HIPAA in the US, NPP4 in Australia etc etc give provision for criminal
responsibility for systems administrators who have failed to
adequately secure systems, but this is of little comfort to the
families of somebody who gets to sue them. Most of these people do not
know what they have to do.

Fire them and get someone who does. Again, contrary to your belief there
are enough people who know (or can be trained to know) what to do. I
don't believe things are so much worse in Australia than they are here
in Germany.

For all your belief Ansgar there are not enough *trained* and
*experienced* security people to do everything. The opinion "It's just
that there are too many clueless people." is true I am sorry to say.
This is one of the flaws in your argument/thesis. There can not be
both too many people who do not understand and also enough people to
secure everything.

Why, of course there can. Having too many clueless people just means
that you have a harder time finding a clueful one, not that there aren't
enough clueful people.

PS Try not to get upset. You lose weight of argument to emotion.

I'm getting annoyed, not upset, because you seem to continually ignore
most anything I'm saying. For one last time: why do you believe it would
be helpful to prosecute the person that *exploited* a vulnerability
rather than the person that *created* the vulnerability?

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
